UK hints at DORA equivalent as EU pursues digital finance reform

A document published to accompany the Queen’s Speech earlier this week referred to the government’s plans for new legislation to support resilient outsourcing to technology providers in the financial services sector – an issue specifically addressed in the EU DORA proposals.

The prospect of a UK DORA has emerged at a time when operational resilience in financial services has become a major focus of UK regulators and coincides with the EU DORA moving closer to being finalised. Provisional agreement on the EU DORA was reached by the EU’s two law-making bodies – the European Parliament and Council of Ministers – earlier this week.

Angus McFadyen of Pinsent Masons, specialist in the application of technology law in the financial services sector, said the regulation of critical technology suppliers is an area of increasing interest internationally.

He said: “We already know that UK regulators intend to publish a joint discussion paper on ‘critical third parties’ in UK financial services later this year and that the regulators are working with the Treasury ‘on potential ways to address the risks’ those critical third parties pose. It is a logical extension of this that the government would seek to legislate in this area – and potentially go as far as to bring critical third parties, such as technology providers that several large financial institutions rely on, within direct scope of financial services regulation on operational resilience.”

Out-Law has asked the Treasury to confirm the nature and purpose of the legislation it is planning to support resilient outsourcing to technology providers in the financial services sector.

The plans for DORA are not only significant because of the toughened obligations that financial institutions would be subject to, in areas such as business continuity and disaster recovery and the reporting of major ICT-related incidents, as well as in relation to contractual arrangements they put in place with ICT third-party service providers. DORA also envisages direct regulation of major technology providers to financial entities for the first time, under a framework that would give powers to the ESAs to designate specific ICT third-party service providers as subject to regulation and to then oversee their compliance.

McFadyen said: “The eye-catching aspect of DORA is how it will impact critical technology suppliers to the financial services sector – this is a huge shift as only a few that currently support financial market infrastructure are directly caught by sectoral regulation. Suppliers will need to consider the optimal way of responding to this. It has now been confirmed that critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU to facilitate effective regulatory oversight, however EU-based providers will also want to consider whether it makes sense to establish separate subsidiaries to ring-fence their operations in the financial services sector.”

McFadyen said that DORA will have a “widespread” impact on firms and that the legislation “continues a regulatory trend of expecting stronger controls across all technology services, not only those provided on an outsourced basis which is where regulation has focused in the past”. He said this had been “triggered by repeat examples of technology outages and degradation directly harming consumers”.

“There is a huge emphasis on board and senior management up-skilling and responsibility,” McFadyen said. “From investigations conducted on major incidents, evidence has shown that there has been poor engagement on technology resilience and change at the most senior levels within regulated firms – and this must change.”

The DORA text that the European Parliament and Council of Ministers have provisionally agreed on has not yet been made public. However, a statement issued by the Council provided some high-level detail of what has been agreed.

“DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats,” the Council said. “These requirements are homogenous across all EU member states. The core aim is to prevent and mitigate cyber threats.”

“Under the provisional agreement, the new rules will constitute a very robust framework that boosts the IT security of the financial sector. The efforts asked from financial entities will be proportional to the potential risks,” it said.

“Critical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented,” it said.

Both the Council and the Parliament will need to formally adopt the finalised text for DORA to become law.

The Commission’s new public consultation, which is open to 2 August 2022, also seeks views on a potential new ‘open finance’ framework more generally. In addition to the public consultation, a separate more targeted consultation on open finance has also been opened by the Commission.

Open finance is a concept that imagines access to the data in financial services being opened up beyond those institutions that hold the data and then subsequently used to deliver new and innovative services. The concept goes beyond the scope of just payment account data that PSD2 applies to. The Commission’s digital finance strategy, also published in September 2020, envisages the development of a new EU open finance framework by 2024.

One of the questions posed in the public consultation is, “should financial service providers holding your data be obliged to share them with other financial or third-party service providers, provided that you have given your consent?”.

The Commission has also progressed a separate initiative it trailed in its digital finance strategy in recent days, tabling proposed revisions to EU rules on distance marketing of consumer financial services. In its strategy it had said it would “assess whether and how the customer protection and conduct aspects of a number of items of EU legislations can be improved to take account of new, digital ways of providing financial services” and made specific reference to the requirements under the existing Distance Marketing of Financial Services Directive.

The Commission’s proposals are designed to make it easier for consumers to withdraw from financial services contracts entered into online within 14 days of entering into those contracts. They also address the content, form and prominence of pre-contractual information that financial services providers must share with consumers.

The proposals also promise to stiffen business’ disclosure obligations around the use of roboadvice tools or chat bots and make it easier for consumers to request human intervention.

The draft new rules would also prohibit businesses from using “the structure, design, function or manner of operation of their online interface in a way that could distort or impair consumers’ ability to make a free, autonomous and informed decision or choice”.